Commit message (author, date, files changed, lines removed/added)
* iterate: fix NSEC3 records missing from answer in an edge case (Vladimír Čunát, 2024-05-29, 2 files, -1/+10)
    When positive wildcard expansion happens, NSEC(3) records are needed to prove that the expansion was allowed. If the NSEC3 had too many iterations, we downgrade the answer to insecure status, but unintentionally we also dropped the NSEC3 record from the answer. That was breaking DNSSEC validation of that answer, e.g. when forwarding to Knot Resolver. The validator needs the NSEC3 - either to validate the expansion or to determine that it's too expensive.
* Merge !1544: modules/stats: split IPv4 and IPv6 stats (version 5.x) (Vladimír Čunát, 2024-05-27, 3 files, -8/+67)
| * NEWS: stats split (Oto Šťáva, 2024-05-27, 1 file, -0/+7)
| * modules/stats: add back stats dropped in the previous commit (Vladimír Čunát, 2024-05-20, 1 file, -0/+40)
|     Just as read-only aggregates of the split v4+v6 pairs.
| * modules/stats: split request.* metrics to IPv4 and IPv6 (Vladimír Čunát, 2024-05-20, 1 file, -8/+16)
|     Let's have .total4 and .total6, too. Then .total could be expressed as a sum of *three* (including .internal), so it's still counted separately, as an exception.
| * modules/stats: add answer.sum_ms metric (Vladimír Čunát, 2024-05-20, 2 files, -0/+4)
|     (cherry picked from commit 44df5dd0d0fedfae390e7137572bcb14270e4d48)
* Merge branch 'coverity' into 'master-5' (Oto Šťáva, 2024-05-20, 6 files, -161/+32)
    Coverity fixes
    See merge request knot/knot-resolver!1543
| * daemon/tls_ephemeral_credentials: fix possible race between read() and fstat() (Oto Šťáva, 2024-05-20, 1 file, -1/+1)
| * .gitlab-ci: fail Coverity Scan on HTTP error (Oto Šťáva, 2024-05-20, 1 file, -0/+1)
| * modules/hints: fix dname bounds check (Oto Šťáva, 2024-05-20, 1 file, -1/+1)
|     This check was introduced to fix Clang-Tidy errors, but was factually not completely correct, tripping Coverity Scan.
| * utils/cache_gc: use lib/generic/array instead of dynarray (Oto Šťáva, 2024-05-20, 3 files, -159/+29)
|     This should appease Coverity Scan, and make the garbage collector consistent with the rest of the Resolver.
* .gitlab-ci: remove SonarCloud Scanner (Oto Šťáva, 2024-05-14, 1 file, -19/+0)
    The detections are mostly academic and useless for our purposes. We have other static analyzers that better suit our needs.
* Merge branch 'ci-overhaul-2' into 'master' (Oto Šťáva, 2024-05-14, 53 files, -737/+313)
    CI/CD overhaul
    See merge request knot/knot-resolver!1533
| * tests/pytests/utils: handle SSLEOFError (Oto Šťáva, 2024-05-13, 1 file, -1/+1)
|     It used to just throw BrokenPipeError, but newer versions of Python have a separate exception for when the connection is closed in violation of TLS rules, which Knot Resolver does deliberately so as to not waste time on properly closing TLS connections with misbehaving peers.
| * test/pytests/test_tls: remove resumption test (Oto Šťáva, 2024-05-13, 1 file, -47/+0)
|     Knot Resolver disables resumption on TLS <=1.2 as it is vulnerable to replay attacks, so the test makes no sense, as that one was specifically disabled for TLS >=1.3 (Python had no support for it at the time). We should make a new test for this with TLS 1.3 support.
| * tests/pytests: remove deprecated calls (Oto Šťáva, 2024-05-13, 3 files, -13/+8)
| * Silence Clang-Tidy (Oto Šťáva, 2024-05-13, 34 files, -113/+197)
|     This commit makes lots of changes to the C code to appease the Clang-Tidy linter. Some of the less obvious ones are due to C's weird semantics regarding handling of numeric literals. We also disable a bunch of the detections because they are super-pedantic, arguably useless, or we have our own unwritten coding style rules that solve the issues.
| * .gitlab-ci, tests, modules: adapt to knot-resolver-ci repo (Oto Šťáva, 2024-05-13, 12 files, -509/+99)
|     This is the bulk of the CI/CD overhaul. Most of the changes are to the `.gitlab-ci.yml` file, where the build images used are replaced with the ones provided by the `knot-resolver-ci` repository. Some cleanups have also been done.
|     The commit also adds unit testing with Knot Resolver built against multiple versions of Knot DNS, including the `master` branch. The `master` branch image is built nightly in the `knot-resolver-ci` repo.
|     We have also removed `scan-build`, as its tests change frequently, with lots of false-positives, which are very different on each version, and there is no good way to ignore some detections. Clang-Tidy covers some of the same issues, and we also have Coverity Scan. Should be more than enough.
|     A few config tests were also excluded in the AddressSanitizer tests, because they produce false-positives.
| * tests/dnstap: Go improvements (Oto Šťáva, 2024-05-13, 4 files, -55/+9)
|     - Do `go mod tidy` before running the test, even in CI
|     - Add `go.sum` to `.gitignore`
|     - Compatibility with Go 1.15 (Debian 11)
* Merge !1538: ci nixos: switch container image tag (Vladimír Čunát, 2024-05-09, 1 file, -1/+2)
| * ci nixos: switch container image tag (Vladimír Čunát, 2024-05-09, 1 file, -1/+2)
|     Unfortunately the `latest` tag is amd64 only right now, even though it did have both recently. I hope this will work reliably.
* Merge !1509: treewide: more compatibility with future libknot 3.4 (Vladimír Čunát, 2024-05-06, 10 files, -33/+41)
| * treewide: more compatibility with future libknot 3.4 (Vladimír Čunát, 2024-05-06, 3 files, -12/+14)
|     knot_wire_next_label used to return NULL when applied to . (root) but that's not allowed anymore, and some of our calls relied on that.
| * treewide: more compatibility with future libknot 3.4 (Vladimír Čunát, 2024-05-06, 10 files, -22/+28)
|     knot_wire_next_label isn't allowed with NULL wire anymore.
* Merge branch 'macos-fix' into 'master' (Oto Šťáva, 2024-05-02, 13 files, -25/+27)
    Fix macOS GitHub actions
    See merge request knot/knot-resolver!1537
| * modules/*/meson.build: add missing dependencies (Oto Šťáva, 2024-05-02, 13 files, -24/+25)
| * .github/workflows/macOS: fix prefix for ARM macOS (Oto Šťáva, 2024-05-02, 1 file, -1/+2)
* Merge branch 'website-push-docs' into 'master' (Oto Šťáva, 2024-04-16, 1 file, -0/+18)
    gitlab-ci: push docs to the website (manual CI)
    See merge request knot/knot-resolver!1530
| * gitlab-ci: push docs to the website (manual CI) (Oto Šťáva, 2024-04-10, 1 file, -0/+18)
* Merge branch 'nits' into 'master' (Oto Šťáva, 2024-04-10, 2 files, -3/+1)
    nits: unused variable, improved #include path
    See merge request knot/knot-resolver!1529
| * lib/dnssec nit: improve #include path (Vladimír Čunát, 2024-04-08, 1 file, -1/+1)
|     The issue was exposed when working on rrl-wip branch:
|     lib/dnssec/nsec.c:19:10: fatal error: resolve.h: No such file or director
| * daemon/engine nit: drop an unused variable (Vladimír Čunát, 2024-04-08, 1 file, -2/+0)
|     Reported by clang.
* Merge branch 'shared-libkres-fix' into 'master' (Oto Šťáva, 2024-04-05, 6 files, -4/+35)
    daemon/meson.build: add install_rpath to kresd
    See merge request knot/knot-resolver!1528
| * daemon/meson.build: add install_rpath to kresd (Oto Šťáva, 2024-04-05, 6 files, -4/+35)
|     This fixes the default use-case for developers when they put their install prefix somewhere where the system `LD_LIBRARY_PATH` does not point. Before this, `kresd` would fail to start after `ninja install` because it would not be able to find the `libkres.so` library.
|     The original workaround to this was to use `meson configure -Ddefault_library=static`, but firstly, we would like it to be working with the default settings, and secondly, we would like to have it as similar to what most users will encounter as possible.
* Merge branch 'release-5.7.2' into 'master' [tag v5.7.2] (Aleš Mrázek, 2024-03-27, 4 files, -3/+7)
    Release 5.7.2
    See merge request knot/knot-resolver!1522
| * ci: obs: create venv and install apkg (Aleš Mrázek, 2024-03-27, 1 file, -0/+4)
| * scripts/update-authors: explicit '--no-show-signature' (Oto Šťáva, 2024-03-27, 1 file, -1/+1)
|     Fixes the script for users who have `log.showSignature` set to `true` in their git config.
| * Release 5.7.2 (Oto Šťáva, 2024-03-27, 2 files, -2/+2)
* Merge branch 'time_t' into 'master' (Oto Šťáva, 2024-03-22, 6 files, -18/+45)
    daemon/lua: fix on 32-bit systems with 64-bit time_t
    See merge request knot/knot-resolver!1510
| * daemon/lua: fix on 32-bit systems with 64-bit time_t (Vladimír Čunát, 2024-03-22, 6 files, -18/+45)
|     This improves the heuristics. The problem would be detected by meson, but not when cross-compiling, in which case things would mostly run OK, except some lua code/modules.
* Merge !1501: various nits (Vladimír Čunát, 2024-03-05, 4 files, -36/+52)
| * lib/dnssec: rename 'check_crypto_limit' to 'account_crypto_limit' (Oto Šťáva, 2024-03-05, 1 file, -4/+7)
| * tests/integration/meson.build: refer to augeas as 'python-augeas' (Oto Šťáva, 2024-03-05, 1 file, -1/+1)
|     This is so that it is more obvious that the PyPI package actually has the `python-` prefix.
| * daemon/proxyv2: nits (Oto Šťáva, 2024-03-05, 2 files, -31/+44)
* Merge branch 'keytrap-related' into 'master' (Oto Šťáva, 2024-02-23, 2 files, -2/+2)
    improve assertions around current releases
    See merge request knot/knot-resolver!1506
| * lib/cache: bump CACHE_VERSION (Vladimír Čunát, 2024-02-23, 1 file, -1/+1)
|     Ideally we would've done that at once with increasing NSEC3 strictness, i.e. in 5.7.1 + 6.0.6, as otherwise we could run into some recoverable assertions until the records got removed or expired. We at least do the bump now.
| * lib/dnssec: fix imprecise assertion (Vladimír Čunát, 2024-02-23, 1 file, -1/+1)
|     It was no longer correct after commit cc5051b444130 (KeyTrap).
* release 5.7.1 [tag v5.7.1] (Aleš Mrázek, 2024-02-13, 1 file, -1/+1)
* Merge: mitigate CVE-2023-50387 "KeyTrap" (Vladimír Čunát, 2024-02-13, 12 files, -11/+82)
    DNSSEC verification complexity could be exploited to exhaust CPU resources and stall DNS resolvers. Solution boils down mainly to limiting crypto-validations per packet.
| * update NEWS with KeyTrap (Vladimír Čunát, 2024-02-13, 1 file, -0/+8)
|     in a separate commit, as it will tend to conflict if patching